National Aeronautics and
Space Administration

Office of Inspector General
Washington, DC 20546-0001

January 31, 2011

The Honorable Barbara A. Mikulski
Chairwoman
Subcommittee on Commerce, Justice, Science and Related Agencies
Committee on Appropriations
United States Senate
Washington, DC 20510

The Honorable Richard Shelby
Ranking Member
Subcommittee on Commerce, Justice, Science and Related Agencies
Committee on Appropriations
United States Senate
Washington, DC 20510

Dear Madam Chairwoman and Senator Shelby:

The National Aeronautics and Space Administration Authorization Act of 2000 directs the NASA Inspector General to conduct an annual audit to assess the extent to which NASA is complying with Federal export control laws and with the Act's requirement that NASA report to Congress regarding any cooperative agreements between the Agency and China or any Chinese company.[1]

The NASA Office of Inspector General (OIG) last reported to you regarding these issues in February 2010. Since that date, NASA has not entered into any cooperative agreements with China or any Chinese company. In addition, during the past year the OIG has conducted several audits relating to NASA's compliance with Federal export control laws, including a series of audits examining the Agency's security controls for its information technology systems, many of which contain data subject to export control laws. With two exceptions, all of these audits are available in full or redacted form on the OIG's website at oig.nasa.gov.[2] In addition to this audit work, the OIG's Office of Investigations closed five investigations into the potential loss or sale of export-controlled data or technology. Below we summarize our work during the past year.

[1] Public Law 106-391, codified at 42 U.S.C. § 2475a(a)(3).
[2] The exceptions are "Federal Information Security Management Act: Fiscal Year 2010 Report from the Office of Inspector General" (IG-11-005, November 10, 2010) and "Review of the Information Technology Security of [a NASA Computer Network]" (IG-10-013, May 13, 2010).

Audit Reports

Preparing for the Space Shuttle Program's Retirement: A Review of NASA's Disposition of Information Technology Equipment (Report No. IG-11-009, December 7, 2010)

As part of a larger audit examining NASA's controls over the disposition of various types of Space Shuttle Program property, we examined NASA's internal controls for the sanitization and disposal processes for information technology (IT) equipment at four NASA Centers. We found significant weaknesses that resulted in computers and hard drives being sold or prepared for sale even though they still contained sensitive NASA data. For example, we determined that one Center released 10 computers to the public that had failed sanitization testing and therefore may have contained sensitive NASA data. OIG auditors confiscated four additional computers that had failed sanitization testing but were nevertheless being prepared for sale. Significantly, one of these computers contained data subject to export control. We also found a lack of accountability for excessed hard drives at two Centers. The most serious of these issues was the discovery of hard drives removed from excessed computers stored in an unsecured dumpster accessible to the public.

Due to the importance of the issues we found at one Center, we immediately notified Center managers, who took action to address the issues. However, because we also found weaknesses at the three other Centers we visited, we made several recommendations to NASA's Chief Information Officer (CIO) related to immediate review of the adequacy of sanitization procedures and documentation of sanitization. In response to our recommendations, the CIO stated that NASA's policies would be updated and a new IT security handbook created. We did not consider the CIO's proposed actions responsive to our recommendations because we did not believe reviewing policy and procedures and drafting a handbook was adequate to identify and correct potential serious deficiencies at the Centers. Moreover, the CIO's response did not reflect the sense of urgency we believed was required to address the serious security issues uncovered by our audit. After publication of our final report, the CIO sent us an updated response proposing actions we considered responsive to our recommendations. Specifically, the CIO proposed meeting with all Center CIOs to identify deficiencies and best practices, issuing a NASA-wide directive to address sanitizing IT equipment prior to release to the public, reviewing applicable guidance and establishing a methodology for verification testing, and updating NASA directives and operating procedures.

Review of the Information Technology Security of [a NASA Computer Network] (Report No. IG-10-013, May 13, 2010, summary)

We evaluated the processes for continuously monitoring selected IT security controls on a NASA mission-critical computer network and found that NASA did not adequately protect the network from potential security breaches and did not always ensure that key IT security controls were monitored. We recommended that the CIO designate a NASA Directorate or Center to immediately establish an oversight process for the network to include monitoring the systems connected to the network for the presence of critical patches and technical vulnerabilities and review all other Agency mission network IT security programs to determine whether each contains an effective oversight process. The CIO concurred with our recommendations and outlined specific actions to be taken to address the deficiencies and a timeline for when those actions would occur.

Audit of Cybersecurity Oversight of [a NASA] System (Report No. IG-10-018, August 5, 2010, redacted for public release)

After a prior audit revealed that NASA did not adequately protect a mission-critical network from potential security breaches or consistently ensure that key IT security controls were monitored, we evaluated the processes for continuously monitoring selected IT security controls on another NASA computer system. We found that the Agency's security controls included security awareness training for personnel; contingency planning related to safeguarding data, to include file backups and alternative processing sites in case of a disaster; procedures to protect system and information integrity, such as malicious code protection; and comprehensive access controls. However, we also found several significant security control weaknesses that could threaten the confidentiality, integrity, and availability of critical information on the system we reviewed. We recommended that NASA review security plans annually for completeness and eliminate internal control weaknesses related to vulnerability scans, local administrator accounts, installation of unauthorized software, and hardware and software inventories on servers. In addition, we recommended that a review of systems managed by contractors be completed to identify and correct similar security control weaknesses that may exist in those systems. The CIO generally concurred with our recommendations.

Information Technology Security: Improvements Needed in NASA's Continuous Monitoring Processes (Report No. IG-10-019, September 14, 2010)

We reviewed continuous monitoring processes at four Centers and found that those Centers did not have effective processes in place to ensure their computer servers remained securely configured over time. We also found that the Agency lacked complete and up-to-date inventories, which could provide a means to verify that 100 percent of the computers in the Agency's network are subject to configuration, vulnerability, and patch monitoring. We recommended that the CIO require the Centers to continuously monitor computer server operating system configuration settings and implement a process to verify that vulnerability monitoring includes 100 percent of applicable network devices such as cell phones and smart phones. Although the CIO's response to our draft report did not adequately address our concerns, following release of our final report the CIO proposed actions we considered responsive to our recommendations.

Review of NASA's Management and Oversight of Its Information Technology Security Program (Report No. IG-10-024, September 16, 2010)

We found that NASA's IT security program had not fully implemented key requirements of the Federal Information Security Management Act (FISMA) that are needed to adequately secure Agency information systems and data. Of the 29 NASA systems we reviewed, only 7 met FISMA requirements for annual security controls testing and 15 met FISMA requirements for annual contingency plan testing, and only 2 of the 5 external systems we reviewed were certified and accredited. These deficiencies occurred because NASA did not have an independent verification and validation function for its IT security program to ensure its effectiveness. We also found that NASA's Office of the CIO (OCIO) had not effectively managed corrective action plans used to prioritize the mitigation of IT security weaknesses. This occurred because OCIO did not have a formal policy for managing the plans. Another factor was that the information system that OCIO purchased to facilitate Agency-wide management of IT corrective action plans was underutilized and it contained corrective action plans for only 2 percent of the 29 systems we reviewed. This occurred because OCIO did not follow recognized best practices, such as getting customer buy-in, when it purchased the information system.

We recommended that the CIO (1) establish an independent verification and validation function to ensure that all FISMA and Agency IT security requirements are met; (2) develop a written policy for managing IT security corrective action plans; and (3) adopt industry system acquisition best practices, including documenting detailed requirements prior to system selection and conducting user acceptance testing before system implementation. The CIO concurred with our recommendations.

Federal Information Security Management Act: Fiscal Year 2010 Report from the Office of Inspector General (Report No. IG-11-005, November 10, 2010, summary)

This annual report, submitted as a memorandum from the Inspector General to the NASA Administrator, provides the Office of Management and Budget (OMB) with our independent assessment of NASA's IT security posture. For FY 2010, we adopted a risk-based approach in which we selected high- and moderate-impact non-national security Agency systems for review. We examined 40 systems that included systems from all 10 NASA Centers, NASA Headquarters, and the NASA Shared Services Center. We reported to OMB that NASA established a program for certification and accreditation, security configuration management, incident response and reporting, security training, Plans of Actions and Milestones, remote access, account and identity management, continuous monitoring, business continuity/disaster recovery, and overseeing systems operated by contractors. However, we found that internal controls for these areas needed improvement.

Investigations

ITAR-Restricted Data Posted on a Public Website

An OIG investigation revealed that data subject to restriction under the International Traffic in Arms Regulations (ITAR) had been posted to the pay-for-access portion of a public website. Criminal prosecution was declined due to the lack of evidence pinpointing specifically who had released the data and the absence of any monetary motive for the release. We made NASA management aware of the release.

Attempted Sale of Saturn V Engines

OIG investigators found that the widow of a former NASA employee was attempting to sell two Saturn V rocket engines. When confronted, the widow agreed to return the engines to NASA.

Computer Intrusion of a JPL Shared Server

An OIG investigation uncovered the infiltration of a Jet Propulsion Laboratory (JPL) shared server through the compromised e-mail account of a JPL employee. The infiltration caused an unknown amount of damage and compromised approximately 22 gigabytes of data. The shared server contained proprietary computer-aided design data and potential ITAR-restricted information. A referral to NASA management from the OIG highlighted the internal weaknesses that allowed the infiltration.

Attempted Sale of Rocket Propellant Technology to a Foreign Country

An undercover investigation revealed that an individual was seeking to obtain U.S. Government rocket propulsion technology for the purpose of exporting the technology to the Republic of South Korea. The individual was arrested and charged with engaging in prohibited brokering activities related to defense articles. The individual pled guilty and was sentenced to 57 months in prison followed by 3 years of supervised release.

Inappropriate Access to Export-Controlled Data Granted to Australian Citizen

A citizen of Australia was inappropriately given access to the Kepler Mission Control Facilities' website maintained by an Ames Research Center contractor. Access was granted because the NASA employee responsible for requesting access mistakenly assumed that the Australian was a U.S. citizen based on the fact that he had been issued a NASA e-mail account. Access was revoked 4 months after being granted and it was determined that no adverse impacts to national security or foreign policy objectives resulted from the incident. Training and procedural improvements were implemented to prevent recurrence.

If you or your staff would like to meet with us to discuss any of the reports or investigations discussed in this letter, please contact me or Renee Juhans, OIG Executive Officer, at 202-358-1220.

Sincerely,

Paul K. Martin
Inspector General

cc:   Charles F. Bolden, Jr.
      NASA Administrator

      Lori B. Garver
      Deputy Administrator

      David Radzanowski
      Chief of Staff

      Linda Cureton
      Chief Information Officer

      Jack Forsythe
      Assistant Administrator, Office of Protective Services

      Michael O'Brien
      Associate Administrator, International and Interagency Relations

      Michael Wholley
      General Counsel

Identical letter to:

United States Senate:
      The Honorable John D. Rockefeller, IV
      The Honorable Kay Bailey Hutchison
      The Honorable Bill Nelson
      The Honorable David Vitter
      The Honorable Joseph I. Lieberman
      The Honorable Susan M. Collins

U.S. House of Representatives:
      The Honorable Frank Wolf
      The Honorable Chaka Fattah
      The Honorable Darrell Issa
      The Honorable Elijah Cummings
      The Honorable Ralph Hall
      The Honorable Eddie Bernice Johnson
      The Honorable Paul Broun
      The Honorable Donna Edwards
      The Honorable Steven Palazzo
      The Honorable Jerry Costello